Security Advisories

FSC-2006-4: SCANNING BYPASS VULNERABILITY

Description

Antivirus products for Windows client and server systems fail to detect malware under certain circumstances. Failures of this kind may lead to malware infections on protected systems. Linux, Mobile and Windows-based gateway products are not affected by the vulnerability.

Sendmail released a low risk security advisory on June 14th 2006. The Sendmail Advisory is located at http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc. F-Secure Messaging Security Gateway products use Sendmail.

During message delivery, certain deeply nested malformed MIME messages can cause the MIME 8-bit to 7-bit conversion routine to exhaust the per-process stack space memory available and cause that process to abort. Depending on system configuration, this may also cause a core dump for that process to be written to disk.

Hotfix is distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems will be patched automatically shortly after publication of this advisory.

This vulnerability is being tracked as CVE-2006-1173 and can be found at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173.

How to validate that patch has been installed: The user can validate patch installation by opening the Administration Console and checking System - Update Service. The patch should be listed under Software Patch History as patch_0000251.

Affected Products

Risk Level:HIGH (Low/Medium/High/Critical)

F-Secure Anti-Virus 2003 - 2006

F-Secure Internet Security 2003 - 2006

F-Secure Service Platform for Service Providers 6.xx and earlier

F-Secure Anti-Virus for Workstations version 5.44 and earlier

F-Secure Anti-Virus Client Security version 6.01 and earlier

F-Secure Anti-Virus for Windows Servers version 5.52 and earlier

F-Secure Anti-Virus for Citrix Servers version 5.50 - 5.52

F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier

Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express

Risk Level: MEDIUM (Low/Medium/High/Critical)

F-Secure Anti-Virus 2003 - 2006

F-Secure Anti-Virus 2003 - 2006

F-Secure Internet Security 2003 - 2006

F-Secure Service Platform for Service Providers 6.xx and earlier

F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier

Co-branded service provider concepts based on one of the above products

Note: Earlier versions of F-Secure Service Platform for Service Providers are known as F-Secure Personal Express

Notes for F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier These systems are affected by the vulnerability but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer and the risk for infection is thus significantly lower. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available.

Risk Level:HIGH (Low/Medium/High/Critical)

All other affected products

Notes for all other products All these products are typically used on systems where programs are executed both from the hard drive and removable media. F-Secure recommends that administrators of systems in this category apply the needed hotfix or upgrade to a version that is not affected, if available.

Platforms

Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. Some of the affected product versions support other platforms than those mentioned above. Installations on such platforms are not affected by the vulnerability.

Mitigating Factors

Products for home users and service provider concepts use automatic hotfix distribution and will be patched without user actions. The ability to execute program files with modified names is decreased. Some of the methods that normally can be used to launch a program fail with files modified in this way. The scanning failure on removable media only occurs if the Scan network drives option has been turned off. Linux, Mobile and Windows-based gateway products are not affected by the vulnerability. The vulnerability only affects some of the platforms that the affected products support.